It bothers me that I cannot access my home web-based services from my home network in the same way I access them from outside my home network. In particular, I changed provider recently, and with the old provider it was working, I believe because of its router (I had two routers, an external one from the provider and another one, my MikroTik; yes, it was double NAT). Now, with the new provider, I have the provider's modem ↔ my MikroTik router, and loopback is not working. I understand this is because of the NAT loopback problem; I have seen some solutions for how to fix it.
I have multiple port-forwarding rules, with different ports and different internal IPs; I would like to access all that stuff from inside using the same links as from outside.
But I have never seen a solution for how to enable loopback globally, for all ports; I do not want to create two or three rules per port because I have many of them. With the old provider it was working the way I would like. Is this possible to achieve with MikroTik?
The old setup was working because your provider’s router was doing the loopback.
There is no single rule to reroute incoming traffic through the prerouting chain of your WAN so that DNAT rules are obeyed.
The solution could be to rewrite those DNAT and input rules so they don't use interfaces in their definitions, just IPs or address lists (for dynamic IPs). In this case, the rules will work no matter the incoming interface, including hairpin.
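What the answer above describes, written out as an added RouterOS CLI example (this is not configuration posted in the thread). Interface names, the address-list name, the placeholder public address 203.0.113.10 and the VPN port are assumptions; the two forwards are the ones from the question. One caveat a practitioner will hit: matching the DNAT on the public address makes the forward fire for LAN clients too, but the internal server then answers the LAN client directly from its private address and the client drops that reply, so one additional srcnat (masquerade) rule for LAN-to-LAN hairpinned connections is needed. That single rule covers every forward at once; no per-port rules are added.

```routeros
# Added example, not from the thread. Assumptions (hypothetical names and
# addresses): WAN is ether1 with a DHCP-assigned public address, the LAN is
# 192.168.0.0/24, and the forwards from the question are
# 80 -> 192.168.0.5:80 and 8080 -> 192.168.0.10:80.

# 1. Keep the current public address in an address list so rules match on
#    it instead of on in-interface=ether1. With a static public IP you can
#    skip this and use dst-address=<your_public_ip> on the dstnat rules.
/ip firewall address-list
add list=wan-ip address=203.0.113.10 comment="kept current by the DHCP client script"

# The DHCP client rewrites the list entry whenever a lease is bound.
# ($ and inner quotes are escaped because the script is typed inline.)
/ip dhcp-client
add interface=ether1 add-default-route=yes script=\
    ":if (\$bound=1) do={ /ip firewall address-list set [find list=wan-ip] address=\$\"lease-address\" }"

# 2. Port forwards: match on the public address, not on the WAN interface,
#    so the same rule fires for packets from the Internet and from the LAN.
/ip firewall nat
add chain=dstnat dst-address-list=wan-ip protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.5 to-ports=80 comment="NAS web"
add chain=dstnat dst-address-list=wan-ip protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.0.10 to-ports=80 comment="reserve NAS admin"

# 3. Hairpin masquerade, once for all forwards: a LAN client that reaches a
#    LAN server through the router is masqueraded so the server's reply comes
#    back through the router (where the DNAT is reversed) instead of going
#    straight to the client, which would drop it.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 \
    action=masquerade comment="hairpin NAT for all port forwards"

# Ordinary Internet masquerade stays interface-based; only inbound rules
# need to be interface-independent.
add chain=srcnat out-interface=ether1 action=masquerade

# 4. Services terminated on the router itself (input chain), same idea:
#    match the public address rather than the WAN interface. Port 13231 is
#    an assumed VPN port used only for illustration.
/ip firewall filter
add chain=input dst-address-list=wan-ip protocol=udp dst-port=13231 \
    action=accept place-before=0 comment="VPN reachable from WAN and LAN"
```

Test from a LAN client with `curl -v http://203.0.113.10:8080/` (substituting your public address): `/ip firewall connection print` should show the connection DNATed to 192.168.0.10:80 with a masqueraded source, and `/ip firewall nat print stats` should show the hairpin rule's counters increasing.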
Could you please give some links to read about it?
P.S. Actually, I have added a static record to the MikroTik DNS configuration and it covers the majority of links, since these links are to one IP in the internal network, my NAS. But external ports forwarded to other internal IPs (I still have a few) are not covered by this solution…
Instead of getting NAT loopback working, in my opinion it would make more sense to solve this by DNS. Have your MikroTik work as a DNS server for your clients and have all services that run internally resolve to the internal IP address.
Using the DNS will still not solve the issue.
Let's say you have some ports used by the router (e.g. SSH access or VPN terminations), a DVR on one internal IP and a web server on another.
To which internal IP should the host name be "masqueraded" via DNS? In neither case will all port forwards be honored. The solution I posted solves port-forwarded destinations without additional rules.
I have just set up a static DNS record; it solves a lot of problems with the majority of links, but it cannot solve all of them if port translation is used to redirect to different internal IPs.
For example, <My_External_IP>:80 redirects me to 192.168.0.5:80 (web server, NAS), and <My_External_IP>:8080 redirects me to 192.168.0.10:80 (administrative control panel for my reserve NAS).
In this case DNS together with a reverse proxy will do just fine. Make sure all the services have their own name. This way you don’t have to do port translation.
Combine it with dstnat suggested by docmarius (using dst-address=<your_public_ip>, to work from both internet and LAN) and any forwarded port will also work from LAN.
DNS is nice too, and it's a good idea to use it for any high-traffic services where you don't want your packets to take a "shortcut" through the router. But for something small it's just too much work to keep things synchronized, plus not everything uses DNS.